[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
Michael Niedermayer
git at videolan.org
Sat Jul 28 15:43:23 EEST 2018
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul 22 19:11:04 2018 +0200| [69cac9e130dc8c9d2a5b8012011df372974adf35] | committer: Michael Niedermayer
avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69cac9e130dc8c9d2a5b8012011df372974adf35
---
libavcodec/dirac_dwt_template.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 2369c8d15b..5d55d932a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int
// second stage combined with interleave and shift
b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
- b[0] = (b0 + 1) >> 1;
+ b[0] = ~((~b0) >> 1);
for (x = 1; x < w2; x++) {
b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]);
b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2 );
- b[2*x-1] = (b1 + 1) >> 1;
- b[2*x ] = (b2 + 1) >> 1;
+ b[2*x-1] = ~((~b1) >> 1);
+ b[2*x ] = ~((~b2) >> 1);
b0 = b2;
}
- b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+ b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
}
static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2,
More information about the ffmpeg-cvslog
mailing list